The Shared Responsibility of Cloud Security
Even doubters now agree that the forecast of the future of cloud computing is sunnier than ever. As more and more people and organizations transition to cloud services, the question of how to keep the cloud secure becomes more important than ever. Though initially unclear, as the latest report from the Cloud Security Alliance (CSA) suggests, the agreement that cloud security is a shared responsibility between cloud providers and cloud users has now firmly taken hold. How those responsibilities shake out, however, is an ongoing conversation.
Are all clouds the same?
The CSA’s report, Guideline of Effectively Managing Security Service in the Cloud released earlier this October, notes that different types of clouds have different security expectations. But first, it’s important to understand the different types of cloud environments. Below are the three main categories:
IaaS – Iaas, which stands for Infrastructure as a Service, is the most high-level cloud platform, providing users with virtual computing machines for development and storage.
PaaS – PaaS, meaning Platform as a Service, allows for users to both build and manage applications in a cloud environment.
SaaS – Saas, or Software as a Service, is a licensing model in which a vendor provides its software applications to customers by hosting it through a third-party cloud service.
Who secures what?
Much of the confusion surrounding the shared responsibility model comes from these three types of environments. Depending on which environment an organization uses, their responsibilities will vary. Furthermore, different cloud providers may also have their own discrepancies in security expectations. Finally, geographical location also matters. With the GDPR in place, the European Union has additional expectations for organizations utilizing cloud services.
However, there are a few things that always fall on those utilizing the cloud, and specific tools have been developed to assist with these security needs. Organizations employing or hoping to employ cloud services must be vigilant and take proactive measures to ensure the safety of their data. There is no guarantee that a cloud provider will specify exactly when and where security tools should be leveraged.
Cloud security tools of the trade
In order for a cloud service to maintain a customer’s privacy, identity and access management must remain the responsibility of the organization utilizing the cloud. Additionally, the security of the data that resides in the cloud must also be managed by the data’s owner. Finally, security configuration must be kept up to date in order to maintain compliance.
Access management – Ensuring limited access to the cloud is critical to maintaining security. Privileged Access Management (PAM) solutions are designed to authorize and authenticate users, giving them only the access necessary to their job functions. For example, Powertech Identity & Access Management (BoKS), utilizes granular access controls for each job role, defining who can have access to each part of a system at any given time, as well as what they can do with that access.
Data security – SIEM (security information and event management) software constantly process event data, looking for threats from a variety of sources within an organization’s cloud environment. For example, Powertech Event Manager streamlines security and provides insights into potential security events through data interpretation and threat prioritization.
Security configuration management – Ensuring proper configuration across all your systems is critical to ensure your cloud environment’s safety. Doing this manually is a daunting task that leaves your organization open to the risk of breaches. Tools like Powertech Security Auditor automatically protect new systems as they come online and continuously monitors those systems, identifying and adjusting any configuration settings that don’t match your requirements.
As long as cloud servers are here to stay, so too is the need to protect them. Since both cloud providers and users have a stake in securing the cloud, it is important to learn what exactly is needed to do your part, and to find the best tools to maintain safeguards for your organization’s data. To discuss how Core Security can help keep your organization’s cloud secure, reach out to one of our security experts today.